Hello everyone,
One month ago, I noticed suspicious activities on my FB account. I fully scanned my PC with Windows Defender, which detected Redline Stealer. I removed it, changed all my passwords and disconnected all sessions from my FB account and thought everything was fine.

Two weeks later, my FB account was hacked, with changed logins and 2FA activated. I scanned my PC with every free AV I could think of (including those which are known to remove Redline, like MWB), in vain: nothing was detected. I noticed that the recovery email and phone number had been changed, and concluded that, since I didn't take care of it the first time, the hackers probably left that as a backdoor to get back into my account. I got my account back by sending my ID, I cleaned all suspicious emails and phone numbers, disconnected all sessions, changed my password and activated 2FA with Google Authenticator on my phone.

Three weeks later, my FB account was hacked again, despite the 2FA. I scanned my PC again with new tools, in vain, and started getting into manual techniques: I used Autoruns and Process Explorer to check if there was any unknown program, and scanned everything with VirusTotal: nothing.

So I transferred every important project to an external HDD, but didn't do a clean reformat, first because I don't have any bootable device at hand, and second because I want to be sure that there is no other solution before erasing everything.

Now, here are my questions (I can't find anything clear on Google):

-Do you think that Redline Stealer is still on my PC? Is it able to get kernel access, in which case it's normal that my AVs can't find it?

-How did the hackers bypass my 2FA?

-Can Redline Stealer spread through a Wifi Network?

-Can it infect a file (like a PDF), such that if I send it to a friend and they open it, their PC becomes infected?

-Can it infect a non-Windows device? Like my phone, which would maybe explain how they got past 2FA.


I know that some viruses can do what I listed above, but I want to have information on the abilities of Redline only, which is, from what I understood, a low-cost virus.

I should add that I also ran scans on my phone, which found nothing.


Hello @Hakuro and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have already run one or more of its procedural steps, please carefully follow the instructions within the following:

I am infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resultant report files in your next reply to this topic.

Thank you.


  • Root Admin

Hello and welcome @Hakuro

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.


  • Root Admin

Please go to Control Panel, Programs, Programs and Features and uninstall the following

  • Java 8 Update 321

 

 

Can you please rename the Farbar program
Current name: C:\Users\sacha\Downloads\FRST64.exe
New name: C:\Users\sacha\Downloads\EnglishFRST64.exe

Then run the scan again with Admin rights and attach back new logs

  • FRST.TXT
  • ADDITION.TXT

 

 

Then run the following as well

 

Microsoft Safety Scanner

Please make sure you exit any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited, and messenger programs are exited and closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the instructions on how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands; just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all breadcrumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.


  • Root Admin

The Microsoft scanner found no issues. Let me have you run another antivirus scanner @Hakuro

 

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen, choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

Thanks


I tried to analyze the .exe file on VirusTotal. Just when I opened the rar archive and dragged the exe file to VirusTotal, Windows Defender detected a threat and a Windows Defender panel showed up on the right. When I clicked on it, it opened the Windows Defender window and I briefly saw "RedlineStealer Trojan" before it disappeared and showed the normal menu with "0 threats detected". Should I be worried? I didn't execute the file at all.

The rar archive was encrypted so I had to type the password that I remembered. Could anything have happened on decryption?


  • Root Admin

No, it sounds like Windows Defender did its job and deleted it.

We can run another scan though to ease your worries. Please run Malwarebytes and do a Threat Scan.

Then run the Windows Safety Scanner again.

Pretty sure neither one will find anything.

 

Then when they're done, please run the following for me.

 

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Thank you


  • Root Admin

I'm heading out for a bit, but please run the following as well and I'll check it.

Just delete that file so you don't have issues with it.

 

 

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.


To answer your other question: the last thing that happened that made me suspect an infection is the fact that my Facebook account was hacked again 4 weeks ago. That could be because the virus is still on my PC, or because the hackers left some sort of backdoor the very first time they hacked me, even before I ran the first WD scan.

Anyway, here is the log for SecurityCheck: SecurityCheck.txt


  • Root Admin

Windows has a policy restricting updates. That alone could get you infected.

Then you have a lot of out-of-date software that could potentially also lead to an attack.

 

Please uninstall, update, or otherwise address the following as appropriate for your system

 

 

--------------------------- [ OtherUtilities ] ----------------------------

Git v.2.33.0.2 Warning! Download Update
Microsoft 365 - de-de v.16.0.15726.20202 [+]
Microsoft 365 - en-us v.16.0.15726.20202 [+]
Microsoft 365 - fr-fr v.16.0.15726.20202 [+]
Microsoft 365 - it-it v.16.0.15726.20202 [+]
Microsoft 365 - nl-nl v.16.0.15726.20202 [+]


Python 2.7.15 (64-bit) v.2.7.15150 Warning! Download Update

Node.js v.16.13.0 Warning! Download Update

NVIDIA GeForce Experience 3.23.0.74 v.3.23.0.74 Warning! Download Update

Dell SupportAssist v.3.12.2.40 Warning! Download Update

GitHub Desktop v.3.0.1 Warning! Download Update

Python 3.9.0 (64-bit) v.3.9.150.0 Warning! Download Update

Wireshark 3.6.1 64-bit v.3.6.1 Warning! Download Update


------------------------------ [ ArchAndFM ] ------------------------------

7-Zip 19.00 (x64) v.19.00 Warning! Download Update
Uninstall old version and install new one.

WinRAR 6.02 (64-bit) v.6.02.0 Warning! Download Update


------------------------------- [ Imaging ] -------------------------------

paint.net v.4.2.14 Warning! Download Update


-------------------------- [ IMAndCollaborate ] ---------------------------

Signal 5.27.1 v.5.27.1 Warning! Download Update

Discord v.0.0.309 Warning! Download Update

Zoom v.5.9.1 (2581) Warning! Download Update


-------------------------------- [ Media ] --------------------------------

Audacity 2.4.2 v.2.4.2 Warning! Download Update

 

 

Then remove the restrictions on Windows Update and click on START and type in "Check for updates" and allow Windows to scan for and install any updates it finds.

Thanks

 

 

Edited by AdvancedSetup
Updated information
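As an added example (not part of the thread and not code from SecurityCheck or any other tool mentioned above), here is a read-only PowerShell audit of the Group Policy registry values that commonly produce the "policy restricting update" finding. It assumes the restriction was applied through the standard Windows Update policy keys under HKLM\SOFTWARE\Policies, and the clearing command in the comment assumes a standalone (non-domain) machine.

```powershell
# Added example: report Group Policy registry values that restrict Windows Update.
# Assumption: the standard policy locations below are where such a restriction lives;
# on a domain-joined machine a GPO would re-apply them at the next policy refresh.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WindowsUpdatePolicyRestrictions {
    $findings = @()
    if (-not (Test-Path $PolicyRoot)) {
        return $findings   # no policy keys at all: nothing here restricts Windows Update
    }
    $root = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    if ($root.DisableWindowsUpdateAccess -eq 1) {
        $findings += [pscustomobject]@{
            Path  = $PolicyRoot
            Value = 'DisableWindowsUpdateAccess'
            Data  = 1
            Note  = 'Blocks user access to Windows Update'
        }
    }
    $auPath = Join-Path $PolicyRoot 'AU'
    if (Test-Path $auPath) {
        $au = Get-ItemProperty -Path $auPath -ErrorAction SilentlyContinue
        if ($au.NoAutoUpdate -eq 1) {
            $findings += [pscustomobject]@{
                Path  = $auPath
                Value = 'NoAutoUpdate'
                Data  = 1
                Note  = 'Automatic Updates disabled by policy'
            }
        }
    }
    return $findings
}

# Report only. Clearing the value is a separate, deliberate step; on a standalone
# machine it would be, for example:
#   Remove-ItemProperty -Path "$PolicyRoot\AU" -Name NoAutoUpdate
# after which "Check for updates" in Settings should work again.
$restrictions = @(Get-WindowsUpdatePolicyRestrictions)
if ($restrictions.Count -eq 0) {
    Write-Output 'No Windows Update policy restrictions found.'
} else {
    $restrictions | Format-Table -AutoSize
    Write-Output 'Also check that the Windows Update service is not disabled:'
    Get-Service -Name wuauserv | Select-Object Name, Status, StartType
}
```

Run it from an elevated PowerShell prompt; a StartType of Disabled on wuauserv is a second, service-level restriction that the policy audit alone will not show.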

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
